Skip to main content

Grok Build Exposed for Uploading Entire Codebase to Google Cloud, SpaceXAI Disables Feature

SpaceXAI's AI coding assistant, Grok Build, has found itself at the center of a data security storm. It turns out the tool was quietly uploading users' entire codebases to Google Cloud by default—including files that were explicitly marked as off-limits and sensitive information that had been scrubbed from version history. The company has now pulled the plug on that feature.

According to a report from Cereblab on Monday, the Grok Build command-line interface packaged up the whole code repository and sent it to the cloud. That's a far broader data grab than what you'd see with similar AI coding tools like Claude Code. Researchers noted that as of Monday's tests, the SpaceXAI server had returned a flag called "disablecodebaseupload: true," and the upload behavior had stopped.

Image

Elon Musk took to X to address the uproar. He said any data that had already been uploaded would be "completely and thoroughly deleted," and stressed that SpaceXAI "always respects privacy settings." But he also added that he hopes users will allow the platform to keep data to help identify and fix bugs.

Lukasz Olejnik, an independent security researcher at King's College London, warned that this kind of large-scale data retention is a big deal. It could expose proprietary source code, security vulnerabilities, personal data, infrastructure details, and access credentials—all of which are prime targets for bad actors.

Key Points

  • Grok Build was uploading entire codebases to Google Cloud, including sensitive and inaccessible files.
  • The data retention scope exceeded that of similar tools like Claude Code.
  • SpaceXAI has disabled the feature and is deleting previously uploaded data.
  • Elon Musk confirmed the action and emphasized privacy, but expressed a desire for users to allow data retention for debugging.
  • Security experts highlight the risks of such broad data collection.